Spanish Data Protection Agency Annual Report

At the end of September 2005, the head of the Spanish Data Protection Agency (SDPA) appeared before the Congress to present the Data Protection Agency’s annual report. In addition to presenting the results for 2004, Mr Piñar Mañas took the opportunity to provide the audience with a few figures and explain certain significant developments.

The Spanish Data Protection Agency

It is of interest that the budget of the SDPA is expected to be increased by 35 per cent this year. If this increase is confirmed, the SDPA budget will have doubled in only two years. That is a sign of the increasing importance given to data protection and the significance accorded to SDPA activity.

The annual report

The most significant statistics from the annual report are as follows:

Fines imposed in 2004 amounted to 16,439,801 Euros, almost double the figure reached in the previous year.

In 2004, 141,987 files were registered. This represents an increase of 32 per cent on the previous year.

The Spanish Data Protection Act requires that the Data Protection Agency pre-authorise international transfers of data to countries that do not ensure an adequate level of protection. In this respect 56 requests for authorisation were made during 2004 (in comparison with 19 requests in 2003). 47 of the authorisations requested in 2004 were granted (40 of them to the United States).

Throughout 2004, the Agency received 35,251 consultations (12 per cent more than the previous year). Much of the advice given had to do with subject access rights and rights to object to processing.

The SDPA produced 587 legal reports during 2004 (8 per cent more than in 2003)

Following Instruction 1/2004, SDPA decisions are now published on its website. More than 1,200 decisions have already been published.

In 2004, the SDPA began 978 inquiries; 273 sanctioning procedures where filed against private controllers and 28 against public ones. In addition, 469 procedures in relation to data subjects’ rights (“tutela de derechos”) were initiated. Accordingly Mr Piñar Mañas stated that in global terms, inspections have increased 70 per cent with regard to the previous year.

Note that contrary to trends observed in previous years in which the majority of claims and procedures related to banking and financial companies, in 2004 there were a significant number of claims in the Telecommunications and E-commerce sector, with spam being one of the most important issues. Throughout the year, the SDPA initiated 83 inquiries relating to commercial communications by e-mail and similar methods (e.g. SMS).

Draft Secondary Regulations

In addition to the annual report, Mr Piñar Mañas announced Draft Secondary Regulations in relation to data protection. The current version of the draft contains the following provisions:

Precise information obligations will be imposed to make sure that the data subject is fully informed when he consents to the collection or processing of his personal data

The permitted purposes for processing data will be further delimited

An expansive definition of health data will be set out

The contractual requirements between data controller and data processor will be further clarified

Technical and organisational security measures will be set out, confirming those that are already required for automated processing and expanding on those adapted for manual processing. These security requirements are especially important when processing certain types of data like biometric information, or traffic and location data in electronic communications

In line with the work of the Article 29 Data Protection Working Party, notification obligations will be reviewed in order to simplify compliance

In order to clarify the regulation of international transfers of data, possible new solutions such as binding corporate rules will be permitted

The Secondary Regulations will probably be published in the early part of next year.